Seagate GoFlex Satellite Remote Telnet Default Password

2015-12-18T00:00:00
ID PACKETSTORM:134986
Type packetstorm
Reporter Matthew Bergin
Modified 2015-12-18T00:00:00

Description

KL-001-2015-007 : Seagate GoFlex Satellite Remote Telnet Default Password  
  
Title: Seagate GoFlex Satellite Remote Telnet Default Password  
Advisory ID: KL-001-2015-007  
Publication Date: 2015.12.18  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-007.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Seagate  
Affected Product: GoFlex Satellite  
Affected Version: 1.3.7  
Platform: Embedded Linux  
CWE Classification: CWE-288: Authentication Bypass Using an  
Alternate Path or Channel; CWE-798: Use of Hard-coded Credentials  
Impact: Remote Administration  
Attack vector: Telnet  
CVE-ID: CVE-2015-2874  
  
2. Vulnerability Description  
  
Seagate GoFlex Satellite Mobile Wireless Storage devices  
contain a hardcoded backdoor account. An attacker could use  
this account to remotely tamper with the underlying operating  
system when Telnet is enabled.  
  
3. Technical Description  
  
root@wpad:/tmp/jfroot# ls  
bin boot dev etc home include lib linuxrc media mnt proc  
satellite_app sbin share srv static sys tmp usr var  
root@wpad:/tmp/jfroot# cd etc  
root@wpad:/tmp/jfroot/etc# ls  
angstrom-version default fstab init.d  
iproute2 motd org_passwd protocols  
rc4.d rS.d terminfo udhcpc.d  
autoUpdURL device_table group inittab  
issue mtab passwd rc0.d  
rc5.d scsi_id.config timestamp udhcpd.conf  
avahi device_table-opkg host.conf inputrc  
issue.net network passwd- rc1.d  
rc6.d services tinylogin.links udhcpd_factory.conf  
busybox.links fb.modes hostname internal_if.conf  
localtime nsswitch.conf profile rc2.d  
rcS.d skel ts.conf version  
dbus-1 filesystems hosts ipkg  
mke2fs.conf opkg profile.d rc3.d  
rpc syslog.conf udev  
root@wpad:/tmp/jfroot/etc# cat passwd  
root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh  
daemon:*:1:1:daemon:/usr/sbin:/bin/sh  
bin:*:2:2:bin:/bin:/bin/sh  
sys:*:3:3:sys:/dev:/bin/sh  
sync:*:4:65534:sync:/bin:/bin/sync  
games:*:5:60:games:/usr/games:/bin/sh  
man:*:6:12:man:/var/cache/man:/bin/sh  
lp:*:7:7:lp:/var/spool/lpd:/bin/sh  
mail:*:8:8:mail:/var/mail:/bin/sh  
news:*:9:9:news:/var/spool/news:/bin/sh  
uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:*:13:13:proxy:/bin:/bin/sh  
www-data:*:33:33:www-data:/var/www:/bin/sh  
backup:*:34:34:backup:/var/backups:/bin/sh  
list:*:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:*:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh  
xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh  
  
The password hash for the xoFaeS account cracked to etagknil.  
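
Added example, not part of the KoreLogic advisory: a check a firmware reviewer could run over an extracted etc/passwd to flag accounts that ship with a usable password field and a login shell, as root and xoFaeS do in the listing above. The function names and the set of non-login shells are assumptions made for this example.

```python
import re

# Excerpt of the etc/passwd listing shown in the advisory above.
SAMPLE_PASSWD = """\
root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh
"""

# Traditional crypt(3) output: 2-character salt followed by 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Assumed list of shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/sync"}

def classify_password_field(field):
    """Describe what the second passwd field means for authentication."""
    if field == "":
        return "empty"            # account has no password at all
    if field == "x":
        return "shadowed"         # hash lives in /etc/shadow, not here
    if field[0] in "*!":
        return "locked"           # no password can match
    if field.startswith("$"):
        return "modular-crypt"    # $id$salt$hash stored world-readable
    if DES_CRYPT.match(field):
        return "des-crypt"        # legacy hash, passwords truncated to 8 chars
    return "unknown"

def audit_passwd(text):
    """Return (line number, account, reason) for every login-capable credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, "?", "malformed"))
            continue
        name, pw, _uid, _gid, _gecos, _home, shell = parts
        kind = classify_password_field(pw)
        if kind not in ("locked", "shadowed") and shell not in NOLOGIN_SHELLS:
            findings.append((lineno, name, kind))
    return findings

if __name__ == "__main__":
    for lineno, name, kind in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: account {name!r} ships with a usable credential ({kind})")
```

Running the same check against etc/shadow, where one exists, covers images that store the hashes there instead.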
  
4. Mitigation and Remediation Recommendation  
  
The vendor has released a patch that can be  
obtained using the Download Finder located at  
https://apps1.seagate.com/downloads/request.html  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2015.09.11 - Vulnerability details and PoC sent to Seagate.  
2015.09.15 - Seagate confirms receipt.  
2015.09.28 - Seagate indicates a patch is ready but not yet available to  
             the public.  
2015.09.28 - KoreLogic asks Seagate if they have obtained a CVE-ID for  
             the vulnerability.  
2015.10.27 - Seagate notifies KoreLogic that the patch is publicly  
             available. Seagate indicates they are waiting for a CVE  
             before releasing a security advisory.  
2015.12.08 - KoreLogic requests an update on the CVE-ID and associated  
             Seagate advisory.  
2015.12.08 - Seagate responds with a link to  
             http://www.kb.cert.org/vuls/id/903500  
2015.12.18 - Public disclosure.  
  
7. Proof of Concept  
  
N/A  
  
The contents of this advisory are copyright(c) 2015  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  